Xfinity waited 13 days to patch essential Citrix Bleed 0-day. Now it’s paying the worth

Photo of author

By Calvin S. Nelson

Enlarge / A Comcast Xfinity service van in San Ramon, California on February 25, 2020.

Getty Photos | Smith Assortment/Gado

Comcast waited 13 days to patch its community towards a high-severity vulnerability, a lapse that allowed hackers to make off with password information and different delicate data belonging to 36 million Xfinity prospects.

The breach, which was carried out by exploiting a vulnerability in community {hardware} offered by Citrix, gave hackers entry to usernames and cryptographically hashed passwords for 35.9 million Xfinity prospects, the cable TV and Web supplier stated in a notification filed Monday with the Maine legal professional normal’s workplace. Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the identify Citrix Bleed, had been below lively exploitation since August. Comcast didn’t patch its community till October 23, 13 days after a patch grew to become obtainable and 5 days after the report of the in-the-wild assaults exploiting it.

“Nevertheless, we subsequently found that previous to mitigation, between October 16 and October 19, 2023, there was unauthorized entry to a few of our inner techniques that we concluded was a results of this vulnerability,” an accompanying discover acknowledged. “We notified federal regulation enforcement and carried out an investigation into the character and scope of the incident. On November 16, 2023, it was decided that data was possible acquired.”

Comcast continues to be investigating exactly what information the attackers obtained. To date, Monday’s disclosure stated, data recognized to have been taken contains usernames and hashed passwords, names, contact data, the final 4 digits of social safety numbers, dates of delivery, and/or secret questions and solutions. Xfinity is Comcast’s cable tv and Web division.

Citrix Bleed has emerged as one of many yr’s most extreme and broadly exploited vulnerabilities, with a severity ranking of 9.4 out of 10. The vulnerability, residing in Citrix’s NetScaler Software Supply Controller and NetScaler Gateway, could be exploited with none authentication or privileges on affected networks. Exploits disclose session tokens, which the {hardware} assigns to gadgets which have already efficiently offered login credentials. Possession of the tokens permits hackers to override any multi-factor authentication in use and log into the gadget.

Different firms which were hacked by means of Citrix Bleed embody Boeing; Toyota; DP World Australia, a department of the Dubai-based logistics firm DP World; Industrial and Industrial Financial institution of China; and regulation agency Allen & Overy.

The identify Citrix Bleed is an allusion to Heartbleed, a distinct essential data disclosure zero-day that turned the Web on its head in 2014. That vulnerability, which resided within the OpenSSL code library, got here below mass exploitation and allowed the pilfering of passwords, encryption keys, banking credentials, and all types of different delicate data. Citrix Bleed hasn’t been as dire as a result of fewer susceptible gadgets are in use.

A sweep of essentially the most lively ransomware websites didn’t flip up any claims of accountability for the hack of the Comcast community. An Xfinity consultant stated in an electronic mail that the corporate has but to obtain any ransom calls for, and investigators aren’t conscious of any buyer information being leaked or of any assaults on affected prospects.

Comcast is requiring Xfinity prospects to reset their passwords to guard towards the likelihood that attackers can crack the stolen hashes. The corporate can be encouraging prospects to allow two-factor authentication. The consultant declined to say why firm admins did not patch sooner.

Leave a Comment